Thursday, March 28, 2024

Commercial Remote Access Trojan (RAT) Remcos Spotted in Live Attacks

A remote access Trojan (RAT) is a malware program that incorporates a back door for administrative control over the target PC.

RATs are normally downloaded invisibly alongside a program the user trusts, such as games or email attachments.

Remcos RAT was first sold in hacking forums in late 2016 and has been updated with more features continuously since then. Recently, the Fortinet security team identified this payload being distributed widely; the latest version is v1.7.3.

Remcos is currently being sold for $58 to $389, depending on the license period and the maximum number of administrators or customers required.

Malware Execution with elevated privileges

Remcos RAT is being distributed through malicious Microsoft Office documents going by the filenames Quotation.xls or Quotation.doc, which are most likely attached to spam emails.

These malicious document macros are designed to bypass Microsoft Windows’ User Account Control (UAC) and execute the malware with high privileges.


To execute the downloaded malware with higher system permissions, it uses a well-known UAC bypass method.

It attempts to execute the payload under Microsoft’s Event Viewer (eventvwr.exe) by hijacking a registry key (HKCU\Software\Classes\mscfile\shell\open\command) that Event Viewer queries to find the path of the Microsoft Management Console (mmc.exe).

Event Viewer simply executes whatever is in that path. Since the macro’s shell command replaces the value of that registry key with the malware’s location, the malware is executed instead of the legitimate mmc.exe.
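The two-stage bypass described above leaves a clear trail in endpoint telemetry: a value written to the mscfile handler key under a user hive, followed by eventvwr.exe spawning something other than mmc.exe. The following Python is an added detection example, not code from the article or from Fortinet; the Sysmon-style event records and the victim paths are constructed for illustration.

```python
import re

# Registry path Event Viewer consults (from the article). A clean system has no
# such key under the user hive, so any value written there is suspicious.
HIJACK_KEY = re.compile(r"\\Software\\Classes\\mscfile\\shell\\open\\command$",
                        re.IGNORECASE)

# Constructed Sysmon-style events (not real telemetry):
# EventID 13 = registry value set, EventID 1 = process creation.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Classes\mscfile\shell\open\command",
     "Details": r"C:\Users\victim\AppData\Local\Temp\remmy.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe"},          # benign
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\remmy.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe"},          # hijacked
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Classes\txtfile\shell\open\command",
     "Details": "notepad.exe %1"},                                 # unrelated key
]


def detect_eventvwr_hijack(events):
    """Return (rule_name, evidence) tuples for events matching either stage."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 13 and HIJACK_KEY.search(ev["TargetObject"]):
            # Stage 1: the mscfile open handler is written under a user hive.
            alerts.append(("mscfile_handler_written",
                           f'{ev["Image"]} -> {ev["Details"]}'))
        elif ev["EventID"] == 1 and ev["ParentImage"].lower().endswith("\\eventvwr.exe"):
            # Stage 2: Event Viewer spawned a child that is not mmc.exe.
            if not ev["Image"].lower().endswith("\\mmc.exe"):
                alerts.append(("eventvwr_unexpected_child", ev["Image"]))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect_eventvwr_hijack(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {evidence}")
```

The stage-1 rule fires regardless of which process wrote the value, since the key has no legitimate reason to exist under HKCU.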

Payload Binaries

Remcos only incorporates the UPX and MPRESS1 packers to pack and compress its server component. In this sample, however, the attacker went further by adding another layer of a custom packer on top of MPRESS1.


Remcos v1.7.3 and its capabilities

The Remcos client has five main tabs with various specific functions. Although most of the parameters are disabled in the free version, we were able to simulate its client-server connection.

  • The Connections Tab is where all the active connections can be monitored.
  • Automatic Tasks is probably the most interesting feature of Remcos, as we haven’t seen anything like it on other RATs.
  • The Local Settings tab consists of settings for the client side.
  • The Builder tab is where the parameters of the created server binary can be customized.

Builder tab sub-sections

  • Connection – sets the client IP addresses and ports where the server connects to upon installation.
  • Installation – configures the installation path, autorun registries, and a watchdog module that prevents termination of the process and deletion of its files and registries.
  • Stealth – this section dictates whether the server should appear on the system’s tray icon.
  • Keylogger – this includes the usual limits for a basic keylogger function.
  • Surveillance – gives the server an option to take periodic screenshots of the system or when specific windows are active.
  • Build – gives the option to pack the server binary using UPX and MPRESS.
  • The Event Log displays connection logs with the server, along with some information about the client’s status (updates, ports, etc.)
  • The About tab has acknowledgements and some promotions for other products.

Samples (SHA256)

  • fc0fa7c20adf0eaf0538cec14e37d52398a08d91ec105f33ea53919e7c70bb5a – W32/Remcos.A!tr
  • 8710e87642371c828453d59c8cc4edfe8906a5e8fdfbf2191137bf1bf22ecf81 – W32/Remcos.A!tr
  • 8e6daf75060115895cbbfb228936a95d8fb70844db0f57fe4709007a11f4a6bb – WM/Agent.9BF1!tr.dldr
  • a58a64fce0467acbcaf7568988afc6d2362e81f67fc0befd031d3a6f3a8a4e30 – WM/Agent.9BF1!tr.dldr

IOC

Download URL: legacyrealestateadvisors[.]net/brats/remmy.exe

Command & Control:

  • remcos2.legacyrealestateadvisors[.]net
  • remcos.legacyrealestateadvisors[.]net

Author: Gurubaran (https://gbhackers.com)

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.